Another way to protect your SSH keys

Jun 17, 2014
Categories: security, network, unix

Let’s say you don’t have a TPM chip, or you hate them, or for some
other reason don’t want to use it to protect your SSH keys.
There’s still hope! Here’s a way to make it possible to use a key
without having access to it. Meaning if you get hacked the key can’t
be stolen.

No TPM, but key can’t be stolen anyway? Surely this is an elaborate
ruse? Well yes, it is. My idea is that you essentially bounce off of
a Raspberry Pi.

But doing that the straightforward way is too easy. I’ve instead made
an SSH proxy, and will show you how to automatically bounce off of it.
You could do the same by setting up a second SSH server (or using the
same one) and hacking around with PAM and a restricted shell. But this
solution can be run as any user, with just the binary and the set of
keyfiles. Very simple.

The goal here is to log in to shell.foo.com from your workstation
via a Raspberry Pi. The workstation SSH client presents its SSH client
key to the SSH Proxy on the Raspberry Pi, and if that key is allowed,
the proxy connects on to shell.foo.com and presents the SSH Proxy
client key.
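
The "if allowed" decision in that flow, as an added Go example (not the proxy code from this post): the proxy compares the public key blob the workstation presents against an authorized_keys-style allow-list before it ever touches its own upstream key. The helper names and the fixed-seed keys are constructed for illustration, and it assumes the SSH library has already verified the client's signature over that key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// demoBlob builds a constructed Ed25519 public key (fixed seed, demo only)
// in SSH wire format: "ssh-ed25519" then the key, each uint32 length-prefixed.
func demoBlob(s byte) []byte {
	seed := bytes.Repeat([]byte{s}, ed25519.SeedSize)
	pub := ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte("ssh-ed25519"), pub} {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

// authLine renders a key blob as an authorized_keys line.
func authLine(blob []byte, comment string) string {
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// allowed: is the presented blob listed in authorized_keys text? Options are
// not parsed, and the handshake must still verify the client's signature.
func allowed(authorizedKeys string, presented []byte) bool {
	for _, line := range strings.Split(authorizedKeys, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "ssh-ed25519" {
			continue // blank line, comment, or a key type this demo skips
		}
		blob, err := base64.StdEncoding.DecodeString(f[1])
		if err == nil && bytes.Equal(blob, presented) {
			return true
		}
	}
	return false
}

func main() {
	ws := demoBlob(1) // stands in for the workstation's client key
	ak := "# allowed to bounce to shell.foo.com\n" + authLine(ws, "workstation")
	fmt.Println("workstation:", allowed(ak, ws), "other:", allowed(ak, demoBlob(2)))
}
```

Only keys on the allow-list cause the proxy to open the onward connection; everything else is refused before the upstream key is used.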

It doesn’t have to be a Raspberry Pi, of course, but the idea here is
to have it be a dedicated machine that you never log in to otherwise,
and one nobody else has access to. A virtual machine will not do,
since the host system has access to virtual machines.

1. Get a Raspberry Pi

Get it up and running with SSH, and lock down every other port except,
say, 2022. Details on this are out of scope for this blog post.

2. Install Go

An ARM version that runs on Raspberry Pi is now downloadable, so you no longer have to build it yourself.